speckit-checklist

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/check-prerequisites.sh executes eval on the output of the get_feature_paths function. In scripts/common.sh, get_feature_paths generates a string by wrapping variables like REPO_ROOT and CURRENT_BRANCH in single quotes. Because these variables are derived from environment data such as directory names or git branch names, an attacker could craft a malicious directory or branch name containing a single quote and shell commands (e.g., 001-feat'$(id)') to achieve arbitrary code execution when the script is run.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes external files (spec.md, plan.md, tasks.md) that may contain untrusted content.
      • Ingestion points: Reads requirement and plan files from the FEATURE_DIR path.
      • Boundary markers: None identified. The skill does not use specific delimiters or instructions to treat the ingested file content as data only.
      • Capability inventory: The skill has the ability to execute local shell scripts and write files to the local filesystem.
      • Sanitization: No sanitization or filtering of the ingested content is performed before it is passed to the LLM for analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 11, 2026, 03:06 PM